SAML could be used for performing anonymous (more precisely pseudonymous) authorization in the following way:
- A user contacts a relying party for a particular service.
- The RP returns a request for a set of attributes that it requires to allow access.
- The user agent formulates a request to its SAML IdP for a signed attribute statement about that set of attributes.
- The IdP returns that statement, signed with its key.
- The client forwards that statement to the RP.
- The RP verifies the signature against the public key of the issuer.
In this scenario, the IdP does not know anything about the RP, and can not associate the particular user request with the public key request from the RP (unless the IdP is really obscure and serves only a very few users). The RP only knows about the attributes that were asserted in the statement.
The obvious drawback is that the IdP has a lot of knowledge about the user. This issue can be mediated by putting a user trusted-broker between the user and the IdP and the user.